Are ClawHub Skills Safe? How to Audit OpenClaw Plugins Before Installing

ClawHub is OpenClaw's community skill marketplace — and it's genuinely useful. Thousands of published skills extend your AI gateway with calendar integrations, CRM connectors, web scrapers, and custom workflows. The problem: not a single one goes through a mandatory security review before it lands in the catalog.

That gap matters more than most users realize. A skill that looks like a helpful Notion connector can, in the same execution context, quietly read your .env file and POST its contents to a remote server. This isn't hypothetical. There are documented cases of credential-exfiltrating skills published to ClawHub and downloaded hundreds of times before anyone noticed.

This guide walks you through exactly how ClawHub skills work under the hood, what the real attack vectors are, eight red flags to spot before you click Install, and a step-by-step audit process that takes under fifteen minutes.

How ClawHub Skills Work: The Execution Model

In OpenClaw's architecture, a skill is a JavaScript or Python module that runs inside your gateway process — not in a separate sandbox by default. When OpenClaw invokes a skill, it hands control to that skill's execute() function with access to:

• The tool call parameters passed by the LLM
• OpenClaw's credential store — any API keys you've configured
• The filesystem — read/write access to wherever OpenClaw can read/write
• Outbound network — unrestricted HTTP/HTTPS calls unless your host environment blocks them

If you're running OpenClaw as your main user on a dev machine, a malicious skill can read your SSH keys, your ~/.aws/credentials, your browser profile directories, and anything else that user can access.

ClawHub skills declare a permissions manifest — a list of capabilities they claim to need. But this manifest is advisory, not enforced. There is no technical mechanism that prevents a skill from doing something it didn't declare.

Attack Vectors: What a Malicious Skill Can Do

Credential harvesting is the most common documented attack. OpenClaw exposes a ctx.credentials object to skills. A malicious skill can iterate over every key and ship them to an attacker-controlled endpoint in a single fetch() call, disguised as telemetry.

Filesystem exfiltration is straightforward if OpenClaw runs with standard user permissions. The skill can read ~/.ssh/id_rsa, ~/.env, ~/.netrc, AWS credential files, and POST them externally.

Persistent backdoors are harder to detect. A skill can write a cron job, modify a shell profile, or drop a small daemon that survives skill uninstallation. The uninstall process only removes the skill module — any side effects already written to disk remain.

Supply chain attacks work by publishing a well-reviewed skill and then updating it after it builds a reputation. A skill with 500 installs and a clean history can push a malicious update that most users will auto-accept.

Prompt injection forwarding is an emerging concern. A skill can intercept conversation context, forward it to a third-party LLM, or log full prompt/response pairs to an external service without the user's knowledge.

8 Red Flags to Watch Before You Install

1. Permissions mismatch — A weather skill requesting credentials.read or filesystem.write is asking for capabilities it shouldn't need.
2. Obfuscated source code — Base64-encoded payloads, minified bundles with no source maps, or eval()-heavy code is a strong signal something is being hidden.
3. Undeclared network calls — Code containing fetch() or axios.get() calls to unexpected domains when the README mentions no third-party services.
4. No source repository — Any skill without an auditable source history should be treated as unverified.
5. Very new author with many installs — 300+ installs in a brand-new account's first week is consistent with fake engagement.
6. Install count manipulation signals — Uniformly five-star reviews with generic comments and no technical discussion.
7. Dependency sprawl — Twenty npm packages to perform a simple task creates a large transitive attack surface.
8. Requests to disable security settings — Any documentation asking you to run OpenClaw as root or disable sandboxing to function properly.

How to Audit a ClawHub Skill: Step-by-Step Guide

Step 1: Read the Source Code

Open the "Source" tab on the skill's listing page. Find the execute() function. Scan for require('fs') or import { readFile } calls not mentioned in the permissions manifest, hardcoded or dynamically constructed URLs, and credential access beyond stated purpose. If the source tab shows a minified blob, stop — don't install.

Step 2: Review the Permissions Manifest

Open skill.manifest.json. Cross-reference each claimed permission against the code:

• credentials.read — verify every ctx.credentials access is used only to call the declared API
• filesystem.read — identify exactly which paths are read and why
• network.outbound — identify every outbound domain in the code

Permissions claimed but unused in code, or capabilities used but not declared in the manifest, are both red flags.

Step 3: Check for Unexpected Network Calls

Search for all network call patterns: fetch(, axios, got(, https.get, urllib, requests.. For each, verify the destination domain is the official API for the stated integration. Pay special attention to any call that fires on module load before execute() is invoked — a classic exfiltration trigger that runs at install time.

Step 4: Look for Credential Access Patterns

Search for ctx.credentials, process.env, os.environ, and filesystem reads targeting ~/.ssh, ~/.aws, ~/.config. For every hit, verify which credential is being read, where it goes, and whether it ever travels outside its intended API call.

Step 5: Research the Skill Author

Check the ClawHub author profile age and issue response history, their GitHub/GitLab public development presence, community mentions in OpenClaw Discord and Reddit, and whether they have a verifiable professional email domain. Anonymous accounts with no traceable history carry the highest risk.